3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb

Analysis

max time kernel
44s
max time network
106s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
Size

127KB
MD5

8786c0e7879e8351899954722ac3b2db
SHA1

d26fbd63cc89fcd387e1bb3710dc66a00764a679
SHA256

3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb
SHA512

2b6ee48a70dd1b86f4219c9791c26842ce1ac87269f17547818fc8ea29f5d9562528cef52c003cdfe0f5b005c9c542625444db67be4c42611a3c31c55c643931
SSDEEP

1536:snqdu3rbBGy3G8V0iuoKYMUYU6U5jUdPQc+n35KZg8/nouy8Iu:sqYMPsLMYjUtQl78vout

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

csrss.exe3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exewdsg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	wdsg.exe

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

wdsg.execsrss.exe3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	wdsg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

wdsg.execsrss.exe3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	wdsg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe

Executes dropped EXE 42 IoCs

Processes:

3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe csrss.execsrss.exe csrss.execsrss.exe smss.exesmss.exewdsg.exedsdv.exesmss.exe smss.exe lsass.exelsass.execsrss.exelsass.exe csrss.execsrss.exe services.execsrss.exe services.exe smss.exesmss.exe csrss.exesmss.execsrss.exe services.exelsass.execonhost.exeParaysutki_VM_Communitylsass.exe smss.exeservices.exeping.exeservices.exe services.exeservices.exe lsass.execonhost.exewinlogon.exewinlogon.exewinlogon.exe winlogon.exe

pid	process
1992	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
572	csrss.exe
868	csrss.exe
1560	csrss.exe
1036	csrss.exe
1712	smss.exe
272	smss.exe
1984	wdsg.exe
764	dsdv.exe
1960	smss.exe
108	smss.exe
892	lsass.exe
1936	lsass.exe
1612	csrss.exe
1172	lsass.exe
1492	csrss.exe
380	csrss.exe
544	services.exe
1168	csrss.exe
540	services.exe
1904	smss.exe
1636	smss.exe
1444	csrss.exe
1828	smss.exe
992	csrss.exe
1528	services.exe
1084	lsass.exe
1704	conhost.exe
860	Paraysutki_VM_Community
1156	lsass.exe
1964	smss.exe
1344	services.exe
1448	ping.exe
1932	services.exe
632	services.exe
1180	services.exe
2024	lsass.exe
1960	conhost.exe
1988	winlogon.exe
668	winlogon.exe
824	winlogon.exe
1680	winlogon.exe

Loads dropped DLL 64 IoCs

Processes:

pid	process
948	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
948	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
1992	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
1992	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
572	csrss.exe
572	csrss.exe
572	csrss.exe
868	csrss.exe
868	csrss.exe
868	csrss.exe
1560	csrss.exe
1560	csrss.exe
1036	csrss.exe
868	csrss.exe
1992	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
1992	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
868	csrss.exe
272	smss.exe
1712	smss.exe
1560	csrss.exe
948	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
1560	csrss.exe
948	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
272	smss.exe
1712	smss.exe
1712	smss.exe
272	smss.exe
1960	smss.exe
108	smss.exe
868	csrss.exe
1992	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
868	csrss.exe
1992	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
1936	lsass.exe
892	lsass.exe
108	smss.exe
108	smss.exe
892	lsass.exe
892	lsass.exe
1172	lsass.exe
1612	csrss.exe
1172	lsass.exe
1172	lsass.exe
1612	csrss.exe
1492	csrss.exe
1992	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
1992	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
380	csrss.exe
544	services.exe
1492	csrss.exe
544	services.exe
1168	csrss.exe
544	services.exe
540	services.exe
108	smss.exe
108	smss.exe
1904	smss.exe
1904	smss.exe
540	services.exe
1636	smss.exe
540	services.exe
1444	csrss.exe
1172	lsass.exe
1172	lsass.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wdsg.exe

description	ioc	process
File opened (read-only)	\??\J:	wdsg.exe
File opened (read-only)	\??\M:	wdsg.exe
File opened (read-only)	\??\O:	wdsg.exe
File opened (read-only)	\??\Q:	wdsg.exe
File opened (read-only)	\??\T:	wdsg.exe
File opened (read-only)	\??\B:	wdsg.exe
File opened (read-only)	\??\E:	wdsg.exe
File opened (read-only)	\??\F:	wdsg.exe
File opened (read-only)	\??\H:	wdsg.exe
File opened (read-only)	\??\K:	wdsg.exe
File opened (read-only)	\??\L:	wdsg.exe
File opened (read-only)	\??\U:	wdsg.exe
File opened (read-only)	\??\I:	wdsg.exe
File opened (read-only)	\??\N:	wdsg.exe
File opened (read-only)	\??\P:	wdsg.exe
File opened (read-only)	\??\R:	wdsg.exe
File opened (read-only)	\??\W:	wdsg.exe
File opened (read-only)	\??\Z:	wdsg.exe
File opened (read-only)	\??\G:	wdsg.exe
File opened (read-only)	\??\S:	wdsg.exe
File opened (read-only)	\??\V:	wdsg.exe
File opened (read-only)	\??\X:	wdsg.exe
File opened (read-only)	\??\Y:	wdsg.exe

Drops file in System32 directory 64 IoCs

Processes:

services.exe lsass.exe3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe smss.exe services.execsrss.exe lsass.execsrss.exelsass.exewinlogon.exesmss.execsrss.exelsass.exe smss.exeservices.execsrss.execsrss.exewdsg.exe3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exesmss.exelsass.exewinlogon.execonhost.exeservices.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
File created	\??\c:\windows\SysWOW64\Windows 3D.scr	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	csrss.exe
File created	\??\c:\windows\SysWOW64\Desktop.sysm	wdsg.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	smss.exe
File created	\??\c:\windows\SysWOW64\maxtrox.txt	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	wdsg.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	wdsg.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	conhost.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe

Drops file in Program Files directory 34 IoCs

Processes:

wdsg.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MpCmdRun.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPDMC.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Windows Journal\PDIALOG.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MSASCui.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wab.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\sidebar.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	wdsg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpenc.exe	wdsg.exe

Modifies registry class 52 IoCs

Processes:

csrss.exe3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exewdsg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	wdsg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	wdsg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	wdsg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	wdsg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	wdsg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	wdsg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	wdsg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	wdsg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	wdsg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	wdsg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	wdsg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	wdsg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	wdsg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	wdsg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	wdsg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	wdsg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	process
900	ping.exe
1564	ping.exe
1468	ping.exe
904	ping.exe
952	ping.exe
1500	ping.exe
2000	ping.exe
1476	ping.exe
1728	ping.exe
1896	ping.exe
1664	ping.exe
896	ping.exe
1488	ping.exe
1448	ping.exe
1880	ping.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

smss.exe

pid	process
1712	smss.exe
1712	smss.exe
1712	smss.exe
1712	smss.exe
1712	smss.exe
1712	smss.exe
1712	smss.exe
1712	smss.exe
1712	smss.exe
1712	smss.exe
1712	smss.exe
1712	smss.exe
1712	smss.exe
1712	smss.exe
1712	smss.exe
1712	smss.exe
1712	smss.exe
1712	smss.exe
1712	smss.exe
1712	smss.exe

Suspicious use of SetWindowsHookEx 41 IoCs

Processes:

3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe csrss.execsrss.exe csrss.execsrss.exe smss.exesmss.exedsdv.exewdsg.exesmss.exe smss.exe lsass.exelsass.exelsass.exe csrss.execsrss.exe services.execsrss.execsrss.exe services.exe smss.execsrss.exesmss.exesmss.exe csrss.exe services.exelsass.execonhost.exeParaysutki_VM_Communitylsass.exe smss.exeservices.exeping.exeservices.exe services.exeservices.exe lsass.exewinlogon.execonhost.exewinlogon.exe

pid	process
948	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
1992	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
572	csrss.exe
868	csrss.exe
1560	csrss.exe
1036	csrss.exe
1712	smss.exe
272	smss.exe
764	dsdv.exe
1984	wdsg.exe
108	smss.exe
1960	smss.exe
892	lsass.exe
1936	lsass.exe
1172	lsass.exe
1612	csrss.exe
380	csrss.exe
544	services.exe
1492	csrss.exe
1168	csrss.exe
540	services.exe
1904	smss.exe
1444	csrss.exe
1828	smss.exe
1636	smss.exe
992	csrss.exe
1528	services.exe
1084	lsass.exe
1704	conhost.exe
860	Paraysutki_VM_Community
1156	lsass.exe
1964	smss.exe
1344	services.exe
1448	ping.exe
1932	services.exe
632	services.exe
1180	services.exe
2024	lsass.exe
1988	winlogon.exe
1960	conhost.exe
668	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 948 wrote to memory of 1992	948	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
PID 948 wrote to memory of 1992	948	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
PID 948 wrote to memory of 1992	948	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
PID 948 wrote to memory of 1992	948	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
PID 1992 wrote to memory of 572	1992	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe	csrss.exe
PID 1992 wrote to memory of 572	1992	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe	csrss.exe
PID 1992 wrote to memory of 572	1992	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe	csrss.exe
PID 1992 wrote to memory of 572	1992	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe	csrss.exe
PID 572 wrote to memory of 868	572	csrss.exe	csrss.exe
PID 572 wrote to memory of 868	572	csrss.exe	csrss.exe
PID 572 wrote to memory of 868	572	csrss.exe	csrss.exe
PID 572 wrote to memory of 868	572	csrss.exe	csrss.exe
PID 868 wrote to memory of 1560	868	csrss.exe	csrss.exe
PID 868 wrote to memory of 1560	868	csrss.exe	csrss.exe
PID 868 wrote to memory of 1560	868	csrss.exe	csrss.exe
PID 868 wrote to memory of 1560	868	csrss.exe	csrss.exe
PID 1560 wrote to memory of 1036	1560	csrss.exe	csrss.exe
PID 1560 wrote to memory of 1036	1560	csrss.exe	csrss.exe
PID 1560 wrote to memory of 1036	1560	csrss.exe	csrss.exe
PID 1560 wrote to memory of 1036	1560	csrss.exe	csrss.exe
PID 1992 wrote to memory of 1712	1992	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe	smss.exe
PID 1992 wrote to memory of 1712	1992	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe	smss.exe
PID 1992 wrote to memory of 1712	1992	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe	smss.exe
PID 1992 wrote to memory of 1712	1992	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe	smss.exe
PID 868 wrote to memory of 272	868	csrss.exe	smss.exe
PID 868 wrote to memory of 272	868	csrss.exe	smss.exe
PID 868 wrote to memory of 272	868	csrss.exe	smss.exe
PID 868 wrote to memory of 272	868	csrss.exe	smss.exe
PID 1560 wrote to memory of 1984	1560	csrss.exe	wdsg.exe
PID 1560 wrote to memory of 1984	1560	csrss.exe	wdsg.exe
PID 1560 wrote to memory of 1984	1560	csrss.exe	wdsg.exe
PID 1560 wrote to memory of 1984	1560	csrss.exe	wdsg.exe
PID 948 wrote to memory of 764	948	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe	dsdv.exe
PID 948 wrote to memory of 764	948	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe	dsdv.exe
PID 948 wrote to memory of 764	948	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe	dsdv.exe
PID 948 wrote to memory of 764	948	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe	dsdv.exe
PID 1712 wrote to memory of 1960	1712	smss.exe	smss.exe
PID 1712 wrote to memory of 1960	1712	smss.exe	smss.exe
PID 1712 wrote to memory of 1960	1712	smss.exe	smss.exe
PID 1712 wrote to memory of 1960	1712	smss.exe	smss.exe
PID 272 wrote to memory of 108	272	smss.exe	smss.exe
PID 272 wrote to memory of 108	272	smss.exe	smss.exe
PID 272 wrote to memory of 108	272	smss.exe	smss.exe
PID 272 wrote to memory of 108	272	smss.exe	smss.exe
PID 868 wrote to memory of 892	868	csrss.exe	lsass.exe
PID 868 wrote to memory of 892	868	csrss.exe	lsass.exe
PID 868 wrote to memory of 892	868	csrss.exe	lsass.exe
PID 868 wrote to memory of 892	868	csrss.exe	lsass.exe
PID 1992 wrote to memory of 1936	1992	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe	lsass.exe
PID 1992 wrote to memory of 1936	1992	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe	lsass.exe
PID 1992 wrote to memory of 1936	1992	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe	lsass.exe
PID 1992 wrote to memory of 1936	1992	3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe	lsass.exe
PID 108 wrote to memory of 1612	108	smss.exe	csrss.exe
PID 108 wrote to memory of 1612	108	smss.exe	csrss.exe
PID 108 wrote to memory of 1612	108	smss.exe	csrss.exe
PID 108 wrote to memory of 1612	108	smss.exe	csrss.exe
PID 892 wrote to memory of 1172	892	lsass.exe	lsass.exe
PID 892 wrote to memory of 1172	892	lsass.exe	lsass.exe
PID 892 wrote to memory of 1172	892	lsass.exe	lsass.exe
PID 892 wrote to memory of 1172	892	lsass.exe	lsass.exe
PID 1172 wrote to memory of 1492	1172	lsass.exe	csrss.exe
PID 1172 wrote to memory of 1492	1172	lsass.exe	csrss.exe
PID 1172 wrote to memory of 1492	1172	lsass.exe	csrss.exe
PID 1172 wrote to memory of 1492	1172	lsass.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
"C:\Users\Admin\AppData\Local\Temp\3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe"
1⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
C:\Users\Admin\AppData\Local\Temp\3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
5⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1036

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\wdsg.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\wdsg.exe" csrss
6⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:272

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:108

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:380

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1904

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1084

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
8⤵
PID:860

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1344

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1932

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1988

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
8⤵
- Executes dropped EXE
PID:824

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:860

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
7⤵
PID:1968

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:952

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:1728

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:900

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1492

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1168

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1828

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
8⤵
PID:1528

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
7⤵
PID:1704

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1156

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:632

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1180

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:668

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
7⤵
PID:2012

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
7⤵
PID:1480

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:1564

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:1468

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:1896

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
6⤵
PID:684

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
5⤵
PID:2040

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
6⤵
PID:1960

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
5⤵
PID:1996

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
5⤵
PID:1216

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:1500

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:1488

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:1880

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1960

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1936

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:544

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:540

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1444

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:992

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1964

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
6⤵
PID:1448

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2024

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
6⤵
PID:1960

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
5⤵
PID:1784

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
6⤵
PID:1824

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
5⤵
PID:1436

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
6⤵
PID:812

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
5⤵
PID:900

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
5⤵
PID:1740

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:2000

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
5⤵
- Executes dropped EXE
- Runs ping.exe
- Suspicious use of SetWindowsHookEx
PID:1448

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:1476

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
3⤵
PID:1560

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
4⤵
PID:844

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
3⤵
PID:560

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
3⤵
PID:1268

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:1664

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:904

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:896

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsdv.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\dsdv.exe" 3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:764

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
1⤵
- Executes dropped EXE
PID:1680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-883044684476495882908789993-803747454-15146282921411130227-212762487413256855"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15601727831887723132165321409-214736738-1985782156-10453459290812950653590202"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\dsdv.exe
Filesize
76KB

MD5
7d0dda18b328f8913385f090329d3672

SHA1
c9efb144fe3f5d3ccddddc11375f968ad034cde7

SHA256
d96fed42ce152dc78afdd9ab1fea110c9b5418ed7e90f55cac1b3c813ffdc68c

SHA512
f3974b5311dad139c60d45fb944e91d5c549bf94aba8ab6759b96117c8ce75c52570bddc73c33ce39d2f89aabefad0df81e6edf62b6465b95a31c17789d3a1cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\wdsg.exe
Filesize
76KB

MD5
0b0b86530483bf9e972da32550e09f41

SHA1
d5f09517c4eba390b450e7deff46a0665d8f1305

SHA256
a9c487f460f0b59a722bf4a80677bc5c35bd18a29ca001eba82128b0404551b3

SHA512
82f7e839b72ca68a8a2f0777e6105418afb507a2dff35130b80a1e606f3fb27162fd894c2be74f540bce942e681ae8b5b586dc9c4b5c8d14516e9d13388c3e86

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\MSVBVM60.DLL
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsdv.exe
Filesize
76KB

MD5
7d0dda18b328f8913385f090329d3672

SHA1
c9efb144fe3f5d3ccddddc11375f968ad034cde7

SHA256
d96fed42ce152dc78afdd9ab1fea110c9b5418ed7e90f55cac1b3c813ffdc68c

SHA512
f3974b5311dad139c60d45fb944e91d5c549bf94aba8ab6759b96117c8ce75c52570bddc73c33ce39d2f89aabefad0df81e6edf62b6465b95a31c17789d3a1cc

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\wdsg.exe
Filesize
76KB

MD5
0b0b86530483bf9e972da32550e09f41

SHA1
d5f09517c4eba390b450e7deff46a0665d8f1305

SHA256
a9c487f460f0b59a722bf4a80677bc5c35bd18a29ca001eba82128b0404551b3

SHA512
82f7e839b72ca68a8a2f0777e6105418afb507a2dff35130b80a1e606f3fb27162fd894c2be74f540bce942e681ae8b5b586dc9c4b5c8d14516e9d13388c3e86

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\Users\Admin\AppData\Local\Temp\3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
\Users\Admin\AppData\Local\Temp\3db145a70f75ceea54337275315ac77dcd61e7ae9cf38f240d17e196194b57cb.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\dsdv.exe
Filesize
76KB

MD5
7d0dda18b328f8913385f090329d3672

SHA1
c9efb144fe3f5d3ccddddc11375f968ad034cde7

SHA256
d96fed42ce152dc78afdd9ab1fea110c9b5418ed7e90f55cac1b3c813ffdc68c

SHA512
f3974b5311dad139c60d45fb944e91d5c549bf94aba8ab6759b96117c8ce75c52570bddc73c33ce39d2f89aabefad0df81e6edf62b6465b95a31c17789d3a1cc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\dsdv.exe
Filesize
76KB

MD5
7d0dda18b328f8913385f090329d3672

SHA1
c9efb144fe3f5d3ccddddc11375f968ad034cde7

SHA256
d96fed42ce152dc78afdd9ab1fea110c9b5418ed7e90f55cac1b3c813ffdc68c

SHA512
f3974b5311dad139c60d45fb944e91d5c549bf94aba8ab6759b96117c8ce75c52570bddc73c33ce39d2f89aabefad0df81e6edf62b6465b95a31c17789d3a1cc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\wdsg.exe
Filesize
76KB

MD5
0b0b86530483bf9e972da32550e09f41

SHA1
d5f09517c4eba390b450e7deff46a0665d8f1305

SHA256
a9c487f460f0b59a722bf4a80677bc5c35bd18a29ca001eba82128b0404551b3

SHA512
82f7e839b72ca68a8a2f0777e6105418afb507a2dff35130b80a1e606f3fb27162fd894c2be74f540bce942e681ae8b5b586dc9c4b5c8d14516e9d13388c3e86

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\wdsg.exe
Filesize
76KB

MD5
0b0b86530483bf9e972da32550e09f41

SHA1
d5f09517c4eba390b450e7deff46a0665d8f1305

SHA256
a9c487f460f0b59a722bf4a80677bc5c35bd18a29ca001eba82128b0404551b3

SHA512
82f7e839b72ca68a8a2f0777e6105418afb507a2dff35130b80a1e606f3fb27162fd894c2be74f540bce942e681ae8b5b586dc9c4b5c8d14516e9d13388c3e86

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
473120bda0ae6eaeee2970c94b041fe0

SHA1
395ee98a948e25be8d08fa83a60304a3fd68eeb5

SHA256
c8942a26a228622e5f1a99004a4489389d95fb08b9e808695d9f027a7f4b6299

SHA512
38afd97d455a802baea250d0411369bdbc576d2e6aef15ef2ac2fa891ecf33eaecc48aa9c00ffb791d39c990b24fe151a9ce55783dd078a546b260e7bff45e9c

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
memory/108-343-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/108-171-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/108-139-0x0000000000000000-mapping.dmp

Download
memory/272-110-0x0000000000000000-mapping.dmp

Download
memory/272-166-0x0000000000230000-0x0000000000259000-memory.dmp

Filesize
164KB

Download
memory/272-317-0x0000000000230000-0x0000000000259000-memory.dmp

Filesize
164KB

Download
memory/380-185-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/380-177-0x0000000000000000-mapping.dmp

Download
memory/540-188-0x0000000000000000-mapping.dmp

Download
memory/540-294-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/540-327-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/540-232-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/544-179-0x0000000000000000-mapping.dmp

Download
memory/560-332-0x0000000000000000-mapping.dmp

Download
memory/572-102-0x00000000001E0000-0x0000000000209000-memory.dmp

Filesize
164KB

Download
memory/572-64-0x0000000000000000-mapping.dmp

Download
memory/632-242-0x0000000000000000-mapping.dmp

Download
memory/668-262-0x0000000000000000-mapping.dmp

Download
memory/684-306-0x0000000000000000-mapping.dmp

Download
memory/684-330-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/684-313-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/764-127-0x0000000000000000-mapping.dmp

Download
memory/812-285-0x0000000000000000-mapping.dmp

Download
memory/812-288-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/812-290-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/824-263-0x0000000000000000-mapping.dmp

Download
memory/844-305-0x0000000000000000-mapping.dmp

Download
memory/844-311-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/844-333-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/860-312-0x0000000000000000-mapping.dmp

Download
memory/860-218-0x0000000000000000-mapping.dmp

Download
memory/860-227-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/860-234-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/868-103-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/868-77-0x0000000000000000-mapping.dmp

Download
memory/892-318-0x0000000000250000-0x0000000000279000-memory.dmp

Filesize
164KB

Download
memory/892-229-0x0000000000250000-0x0000000000279000-memory.dmp

Filesize
164KB

Download
memory/892-156-0x0000000000000000-mapping.dmp

Download
memory/900-291-0x0000000000000000-mapping.dmp

Download
memory/948-71-0x00000000002D0000-0x00000000002F9000-memory.dmp

Filesize
164KB

Download
memory/948-70-0x00000000002D0000-0x00000000002F9000-memory.dmp

Filesize
164KB

Download
memory/952-340-0x0000000000000000-mapping.dmp

Download
memory/992-215-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/992-206-0x0000000000000000-mapping.dmp

Download
memory/1036-97-0x0000000000000000-mapping.dmp

Download
memory/1036-119-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1036-104-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1084-213-0x0000000000000000-mapping.dmp

Download
memory/1156-223-0x0000000000000000-mapping.dmp

Download
memory/1156-235-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1168-196-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1168-187-0x0000000000000000-mapping.dmp

Download
memory/1172-170-0x0000000000000000-mapping.dmp

Download
memory/1172-345-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1172-231-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1180-256-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1180-248-0x0000000000000000-mapping.dmp

Download
memory/1344-236-0x0000000000000000-mapping.dmp

Download
memory/1436-282-0x0000000000000000-mapping.dmp

Download
memory/1444-198-0x0000000000000000-mapping.dmp

Download
memory/1448-233-0x0000000000000000-mapping.dmp

Download
memory/1448-323-0x0000000000000000-mapping.dmp

Download
memory/1448-247-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1476-319-0x0000000000000000-mapping.dmp

Download
memory/1480-320-0x0000000000000000-mapping.dmp

Download
memory/1492-176-0x0000000000000000-mapping.dmp

Download
memory/1528-303-0x0000000000260000-0x0000000000289000-memory.dmp

Filesize
164KB

Download
memory/1528-297-0x0000000000000000-mapping.dmp

Download
memory/1528-207-0x0000000000000000-mapping.dmp

Download
memory/1560-300-0x0000000000000000-mapping.dmp

Download
memory/1560-89-0x0000000000000000-mapping.dmp

Download
memory/1560-304-0x00000000002B0000-0x00000000002D9000-memory.dmp

Filesize
164KB

Download
memory/1612-167-0x0000000000000000-mapping.dmp

Download
memory/1636-212-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1636-197-0x0000000000000000-mapping.dmp

Download
memory/1680-272-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1680-266-0x0000000000000000-mapping.dmp

Download
memory/1704-217-0x0000000000000000-mapping.dmp

Download
memory/1712-108-0x0000000000000000-mapping.dmp

Download
memory/1712-178-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1712-168-0x0000000000230000-0x0000000000259000-memory.dmp

Filesize
164KB

Download
memory/1728-341-0x0000000000000000-mapping.dmp

Download
memory/1740-295-0x0000000000000000-mapping.dmp

Download
memory/1784-271-0x0000000000000000-mapping.dmp

Download
memory/1824-276-0x0000000000000000-mapping.dmp

Download
memory/1824-281-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1828-199-0x0000000000000000-mapping.dmp

Download
memory/1904-192-0x0000000000000000-mapping.dmp

Download
memory/1932-254-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1932-241-0x0000000000000000-mapping.dmp

Download
memory/1936-158-0x0000000000000000-mapping.dmp

Download
memory/1960-336-0x0000000000000000-mapping.dmp

Download
memory/1960-268-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1960-347-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1960-169-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1960-137-0x0000000000000000-mapping.dmp

Download
memory/1960-255-0x0000000000000000-mapping.dmp

Download
memory/1964-221-0x0000000000000000-mapping.dmp

Download
memory/1968-326-0x0000000000000000-mapping.dmp

Download
memory/1984-125-0x0000000000000000-mapping.dmp

Download
memory/1988-324-0x00000000001D0000-0x00000000001F9000-memory.dmp

Filesize
164KB

Download
memory/1988-287-0x00000000001D0000-0x00000000001F9000-memory.dmp

Filesize
164KB

Download
memory/1988-257-0x0000000000000000-mapping.dmp

Download
memory/1992-73-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-352-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-58-0x0000000000000000-mapping.dmp

Download
memory/2000-321-0x0000000000000000-mapping.dmp

Download
memory/2012-274-0x0000000000000000-mapping.dmp

Download
memory/2024-249-0x0000000000000000-mapping.dmp

Download
memory/2040-349-0x0000000000240000-0x0000000000269000-memory.dmp

Filesize
164KB

Download
memory/2040-329-0x0000000000000000-mapping.dmp

Download